Health care data-sharing rules touch off intense lobbying fight

HHS wants to finalize the rules early this year, a person familiar with the regulatory process told POLITICO. Don Rucker, who leads HHS’ health IT office, had previously said he wanted a roll-out late last year. The rules originated in his office, known as ONC, as well as CMS.

The number of interests affected by the bill have provoked speculation the final rule could lead to lawsuits. “I’d never heard of organizations threatening to sue ONC before,” said Jeff Smith, vice president of the American Medical Informatics Association, but he’s heard it’s “something organizations are contemplating.”

The Office of Management and Budget has taken 12 meetings on the two rules since November — a surprising level of interest given the late stage of the rules, which were proposed last February.

Last week, HHS Secretary Alex Azar held a meeting — promoted on Twitter — on “the work we are doing to take on the status quo and empower patients.” Participants included Deven McGraw of startup Ciitizen and Cynthia Fisher, a patient advocate who sits on HHS’ Health IT Advisory Committee. Both are firm proponents of expanding patient data access.

“The administration was asking us as a group to represent what’s best for patients,” said Fisher, who contrasted their contribution to “special interests, who have numerous lobbyists and their own interests.”

“They hear from the Epics and Cerners,” she said, referring to the two biggest U.S. digital health software companies, but the administration wants to make sure patients’ advocates have “readily available access.”

But many in the industry say they have patients’ best interests at heart in asking for increased privacy protections as part of the rule.

“The primary beneficiaries of this rule are venture capitalists and others taking advantage of patient data,” said Epic executive Sumit Rana in an interview Monday. Disclosing patient records in unfettered fashion can hurt patients, he said.

The rule’s promise of eased access to a patient’s entire medical record through an interface is an invitation for app developers — well-funded and sketchy alike — to pick over patient data and commercialize it, he said. In that, he said the proposed rules “go well beyond the 21st Century Cures Act,” which sought to modernize health care with better use of IT.

Epic has linked arms with groups like the American Medical Association, which has emphasized the potential harms to patient privacy. Recent news stories about Big Tech access to health data, such as Google’s arrangement with the Ascension health system, have sharpened the edge of this critique.

Epic, a privately held company little known outside health care, rolled out a publicity campaign in the past few months, putting up billboards in Washington metro stations and at Reagan National Airport. Policymakers “don’t know how our software is used, how it saves lives,” Rana said.

On Tuesday, Thompson — who as HHS secretary was Azar’s boss — argued in a Wisconsin State Journal column that the rules would “compel Epic to give its trade secrets away to venture capitalists, Big Tech, Silicon Valley interests, and overseas competitors for little or no compensation.”

Thompson’s critique — that the proposed rule’s provisions on data-access would undermine Epic’s investments in software — has been echoed by others in the health IT industry, and found an audience on the Hill.

Georgia Rep. Doug Collins and North Carolina Sen. Thom Tillis, Republicans seated on their respective chambers’ Judiciary committees, have sent letters to ONC airing their concerns about threats to intellectual property.

The rule “will force health IT developers to disclose proprietary screen designs and other trade secrets,” Collins wrote in a July letter. That may “also enable competitors to steal algorithms, configurations, and other information of significant value to the industry.” In an interview Tuesday, Tillis said he and ONC have continued to discuss intellectual property concerns from the rule.

Researchers and doctors have long argued that sharing screenshots of electronic health records is crucial to improving usability and safety problems with the software. Non-disclosure provisions in record contracts effectively gag them from open discussion of such problems, they say. The rules expressly allow screenshots — to the chagrin of developers.

Privacy and intellectual property concerns aren’t the sole worries provoked by the rules: Hospital groups have also denounced a proposal to require Medicare participants to issue notifications when a patient enters or leaves a hospital.

Adam Cancryn contributed to this report.